OCSP_REQUEST *req = NULL;
OCSP_RESPONSE *resp = NULL;
OCSP_BASICRESP *basic = NULL;
- X509_STORE *store = 0;
+ X509_STORE *store = NULL;
int rc = 0, reason = 0, ssl = 0, status = 0;
char *host = NULL, *path = NULL, *port = NULL;
OCSP_CERTID *id = NULL;
goto end;
if (USENONCE && OCSP_check_nonce(req, basic) <= 0)
goto end;
+ /* TODO is this compulsory? */
store = canl_create_x509store(data->store);
if (!store)
goto end;
- /* The second parametr (verify_other) and the last one may be used
- when OCSP API is fully defined*/
+
+ /* The last param. may be used when OCSP API is fully defined*/
rc = OCSP_basic_verify(basic, verify_other, store, verify_flags);
if (rc < 0)
rc = OCSP_basic_verify(basic, NULL, store, 0);
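Review bot: The new `/* TODO is this compulsory? */` above the store creation asks a question the OpenSSL API already answers: OCSP_basic_verify() uses the X509_STORE to build and validate the responder's certificate chain unless the caller passes OCSP_NOVERIFY, and with that flag the signer is not authenticated at all, so the store is compulsory whenever the response is meant to be trusted. Replace the TODO with `/* The store is required: OCSP_basic_verify() builds the responder chain from it unless OCSP_NOVERIFY is set, which would leave the response unauthenticated. */`. The pre-existing fallback `rc = OCSP_basic_verify(basic, NULL, store, 0)` drops both verify_other and every verify flag; since a negative return is documented for fatal errors such as allocation failure while 0 is a genuine verification failure, a retry with weaker settings is unlikely to help and deserves a comment saying why it is kept. The enclosing function starts before this hunk.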
return set_error(cc, ERR_get_error(), SSL_ERROR,
"Failed to create SSL connection context");
- /* TODO !!!!!!!!!!
- * if SSL_VERIFY_NONE, then we cannot extract peer cert. of ssl
- * if SSL_VERIFY_PEER, then client cert verification is mandatory!!!*/
- SSL_set_verify(ssl, SSL_VERIFY_PEER, proxy_verify_callback);
+ if (CANL_SSL_VERIFY_NONE & m_ctx->flags)
+ SSL_set_verify(ssl, SSL_VERIFY_NONE, proxy_verify_callback);
+ else
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, proxy_verify_callback);
- if (!(CANL_ACCEPT_SSLv2 & m_ctx->flags))
+ if (!(CANL_SSL_ACCEPT_SSLv2 & m_ctx->flags))
SSL_set_options(ssl, SSL_OP_NO_SSLv2);
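Review bot: With `SSL_set_verify(ssl, SSL_VERIFY_NONE, proxy_verify_callback)` in this accept path, OpenSSL sends no CertificateRequest, so the client never presents a certificate and SSL_get_peer_certificate() returns NULL afterwards, which is exactly what the deleted TODO ("if SSL_VERIFY_NONE, then we cannot extract peer cert") warned about; the new branch removes the warning without addressing it. The deleted comment's second concern was mistaken: SSL_VERIFY_PEER alone does not make a client certificate mandatory, because without SSL_VERIFY_FAIL_IF_NO_PEER_CERT a client that presents none still completes the handshake, and only a presented-but-invalid certificate aborts it (unless proxy_verify_callback overrides the result). If CANL_SSL_VERIFY_NONE is only meant to tolerate anonymous clients, the unconditional SSL_VERIFY_PEER already did that and the new branch merely loses the certificate; if it really is meant to skip verification, add `/* SSL_VERIFY_NONE: no CertificateRequest is sent, so no peer certificate is available after the handshake. */` above the branch so callers do not rely on a peer identity that was never established. The enclosing function starts and ends outside this hunk.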
"Failed to create SSL connection context");
SSL_set_connect_state(ssl);
+
+ if (CANL_SSL_VERIFY_NONE & m_ctx->flags)
+ SSL_set_verify(ssl, SSL_VERIFY_NONE, proxy_verify_callback);
+ else
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, proxy_verify_callback);
- SSL_set_verify(ssl, SSL_VERIFY_PEER, proxy_verify_callback);
- if (!(CANL_ACCEPT_SSLv2 & m_ctx->flags))
+ if (!(CANL_SSL_ACCEPT_SSLv2 & m_ctx->flags))
SSL_set_options(ssl, SSL_OP_NO_SSLv2);
if (m_ctx->cert_key) {
return err;
}
+
+canl_err_code
+canl_ctx_set_ssl_flags(canl_ctx cc, unsigned int flags)
+{
+ glb_ctx *glb_cc = (glb_ctx*) cc;
+ mech_glb_ctx *m_ctx = (mech_glb_ctx *)glb_cc->mech_ctx;
+
+ if (!m_ctx)
+ return set_error(cc, EINVAL, POSIX_ERROR, "SSL context not"
+ " initialized");
+
+ if (!cc)
+ return EINVAL;
+
+ m_ctx->flags |= flags;
+ return 0;
+}
+
canl_err_code
canl_ctx_set_crl_dir(canl_ctx cc, const char *dir)
{
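Review bot: canl_ctx_set_ssl_flags dereferences cc before checking it: `glb_cc->mech_ctx` is read on the second line of the body, but `if (!cc) return EINVAL;` only comes after the m_ctx test, so a NULL cc crashes instead of returning EINVAL. Move the NULL test first: `if (!cc) return EINVAL;` followed by `glb_ctx *glb_cc = (glb_ctx*) cc;` and `mech_glb_ctx *m_ctx = (mech_glb_ctx *)glb_cc->mech_ctx;`. Because the body does `m_ctx->flags |= flags`, a flag can be set but never cleared, which matters for CANL_SSL_VERIFY_NONE: once set on a context, every connection later set up through the connect branch above (where SSL_VERIFY_NONE in client mode lets the handshake continue regardless of the certificate verification result) goes out unauthenticated, so either document the accumulate-only semantics or add a matching unset API. The function is new and has no header comment; a one-line `/* OR the given CANL_SSL_* flags into the context; flags accumulate and cannot be cleared. */` would state the contract.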
return set_error(cc, ENOMEM, POSIX_ERROR, "Not enough memory");
subject = X509_get_subject_name(cert);
- if (CANL_DN_OSSL & m_ctx->flags)
+ if (CANL_SSL_DN_OSSL & m_ctx->flags)
ret = X509_NAME_print_ex(name_out, subject, 0, 0);
else
ret = X509_NAME_print_ex(name_out, subject, 0, XN_FLAG_RFC2253);
#endif
typedef enum canl_ctx_ssl_flags {
- CANL_ACCEPT_SSLv2 = 0x0001,
- CANL_DN_OSSL = 0x0002,
+ CANL_SSL_ACCEPT_SSLv2 = 0x0001,
+ CANL_SSL_DN_OSSL = 0x0002,
+ CANL_SSL_VERIFY_NONE = 0x0004,
} canl_ctx_ssl_flags;
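Review bot: CANL_SSL_VERIFY_NONE is added to the public canl_ctx_ssl_flags enum without a comment, although, judging by the accompanying SSL_set_verify() changes, it maps directly onto OpenSSL's SSL_VERIFY_NONE and therefore turns off peer-certificate enforcement for both connect and accept. A flag with that effect should say so where API users read it: `CANL_SSL_VERIFY_NONE = 0x0004, /* disable peer certificate verification (OpenSSL SSL_VERIFY_NONE); the peer is not authenticated */`. The renamed members keep their old meaning, so the new one is the only member that can silently weaken a deployment and the one that most needs the note.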
-canl_ctx CANL_CALLCONV
+canl_err_code CANL_CALLCONV
canl_ctx_set_ssl_flags(canl_ctx, unsigned int);
canl_err_code CANL_CALLCONV